Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.
I followed this guide initially to set up my certificates and keys for ProFTPD and then resorted to the steps below to get TLSv1/SSL3 working with ProFTPD 1.3.2c.
Before you're fully up and running you must make the proftpd.key.pem readable only by root:
chmod 0600 /etc/ssl/private/proftpd.key.pem
chmod 0640 /etc/ssl/private/proftpd.cert.pem
Now to add TLS support to your ProFTPD config. For simplicity I am going to have the main ProFTPD config file include a separate, TLS-specific config:
sudo gedit /etc/proftpd/proftpd.conf
Add the line:
# This is used for FTPS connections
Include /etc/proftpd/tls.conf
Then create the TLS config at /etc/proftpd/tls.conf using:
sudo gedit /etc/proftpd/tls.conf
Include the following lines:
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS imposes some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
#
# Avoid CA cert and allow client renegotiation (to overcome 1.3.2c bug 3324)
TLSOptions NoCertRequest AllowClientRenegotiation
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
TLSRenegotiate required off
</IfModule>
I've found that it is critical to have only one TLSOptions line in your config with AllowClientRenegotiation. Otherwise I frequently encountered the following error from my FTP client, since the AllowClientRenegotiation option was not parsed correctly from the config file:
mod_tls/2.0.6[1395]: unable to accept TLSAllowClientRenegotiations
connection: error:00000005:lib(0):func(0):DH lib
The mod_tls module will reject any SSL/TLS session renegotiation attempts by the client, in order to mitigate any issues arising from the SSL/TLS session renegotiation vulnerability (CVE-2009-3555). If, however, your particular site or clients absolutely require support for client-initiated SSL/TLS session renegotiations, then this option can be used. This is not recommended, as it will leave you susceptible to a man-in-the-middle (MITM) attack.
In order to get TLS working with ProFTPD 1.3.2c I have had to enable AllowClientRenegotiations to overcome a known issue related to Bug#3324, which, although it should have been fixed in 1.3.2c (the version in the Synaptic repository for 10.04), wasn't back-ported correctly. It is, however, fixed in 1.3.2d, but that's not available as standard in 10.04 at this time. AllowClientRenegotiations does make your TLS/SSL connection susceptible to man-in-the-middle attacks.
It kind of defeats the point of using TLS/SSL if you are subject to MITM attacks so I'll look into getting 1.3.2d or 1.3.3 installed on 10.04 Lucid.
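As an added example that is not from the original post or from the ProFTPD project, the following POSIX shell script checks a tls.conf for the problems described above before the daemon is reloaded: exactly one active TLSOptions line, TLSEngine and TLSRequired set to on, the private key named in the config at mode 0600, and a warning whenever AllowClientRenegotiation is still enabled so the bug 3324 workaround is removed once a fixed ProFTPD version is installed. The configs and key it writes under a temporary directory are constructed for the demo; point check_tls_conf at /etc/proftpd/tls.conf to check a live install.

```shell
#!/bin/sh
# Added example (not part of the original post or of ProFTPD): sanity-check a
# ProFTPD tls.conf and the private key it points at before reloading the daemon.
# The configs and key written by make_demo_configs are constructed for the demo.

# count_directive FILE DIRECTIVE
# Prints how many active (non-comment) lines set DIRECTIVE.
count_directive() {
    n=$(grep -c -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# key_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_tls_conf FILE
# Returns 0 when the config passes, 1 otherwise; findings go to stdout.
check_tls_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # The post's main lesson: a second TLSOptions line makes mod_tls lose
    # AllowClientRenegotiation and every TLS login then fails.
    opts=$(count_directive "$conf" TLSOptions)
    if [ "$opts" -ne 1 ]; then
        echo "FAIL: expected exactly one TLSOptions line, found $opts"
        rc=1
    fi

    grep -q -E '^[[:space:]]*TLSEngine[[:space:]]+on' "$conf" \
        || { echo "FAIL: TLSEngine is not on"; rc=1; }

    grep -q -E '^[[:space:]]*TLSRequired[[:space:]]+on' "$conf" \
        || echo "WARN: TLSRequired is not on; plaintext logins are still accepted"

    # Renegotiation is allowed only to work around bug 3324; flag it so the
    # workaround is not forgotten once a fixed ProFTPD is installed.
    grep -q -E '^[[:space:]]*TLSOptions.*AllowClientRenegotiation' "$conf" \
        && echo "WARN: AllowClientRenegotiation set (CVE-2009-3555 mitigation disabled)"

    # The private key named in the config must be mode 0600 (owner-only).
    key=$(awk '/^[[:space:]]*TLSRSACertificateKeyFile/ { print $2; exit }' "$conf")
    if [ -n "$key" ]; then
        if [ ! -e "$key" ]; then
            echo "FAIL: key file $key does not exist"; rc=1
        elif [ "$(key_mode "$key")" != "600" ]; then
            echo "FAIL: $key is mode $(key_mode "$key"), expected 600"; rc=1
        fi
    fi
    return $rc
}

# make_demo_configs DIR
# Writes a constructed good config, a bad one with the TLSOptions directive
# split over two lines, and a placeholder key file into DIR.
make_demo_configs() {
    dir=$1
    : > "$dir/proftpd.key.pem"        # placeholder, not a real key
    chmod 0600 "$dir/proftpd.key.pem"
    cat > "$dir/tls.conf" <<EOF
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv23
TLSRSACertificateFile $dir/proftpd.cert.pem
TLSRSACertificateKeyFile $dir/proftpd.key.pem
TLSOptions NoCertRequest AllowClientRenegotiation
TLSVerifyClient off
TLSRequired on
TLSRenegotiate required off
</IfModule>
EOF
    # Same config, but TLSOptions duplicated (the misconfiguration the post warns about).
    awk '/^TLSOptions / { print "TLSOptions NoCertRequest";
                          print "TLSOptions AllowClientRenegotiation"; next }
         { print }' "$dir/tls.conf" > "$dir/tls-bad.conf"
}

# Demo run on the constructed files.
DEMO=$(mktemp -d)
make_demo_configs "$DEMO"
for f in tls.conf tls-bad.conf; do
    if check_tls_conf "$DEMO/$f"; then
        echo "$f: OK"
    else
        echo "$f: rejected"
    fi
done
rm -rf "$DEMO"
```

The demo prints a WARN for the good config too, because the page's own configuration keeps AllowClientRenegotiation enabled; that warning is the reminder to drop the option when moving to 1.3.2d or later. Run `check_tls_conf /etc/proftpd/tls.conf` as root to check the real file, since the key is only readable by root.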